Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsoup for openSUSE:Factory checked in at 2026-03-01 22:14:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsoup (Old) and /work/SRC/openSUSE:Factory/.libsoup.new.29461 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup" Sun Mar 1 22:14:14 2026 rev:166 rq:1335556 version:3.6.6 Changes: --------
--- /work/SRC/openSUSE:Factory/libsoup/libsoup.changes 2026-02-24 15:37:43.136225689 +0100
+++ /work/SRC/openSUSE:Factory/.libsoup.new.29461/libsoup.changes 2026-03-01 22:14:47.493881327 +0100
@@ -1,0 +2,7 @@
+Wed Feb 25 02:47:08 UTC 2026 - Jonathan Kang <[email protected]>
+
+- Add libsoup-CVE-2026-1539.patch: Also remove Proxy-Authorization
+ header on cross origin redirect
+ (bsc#1257441, CVE-2026-1539, glgo#GNOME/libsoup#489).
+
+-------------------------------------------------------------------
@@ -59,0 +67,2 @@
+ + libsoup-CVE-2026-1467.patch
+ + libsoup-CVE-2026-1760.patch
@@ -61,0 +71,10 @@
+
+-------------------------------------------------------------------
+Thu Feb 20 14:51:21 UTC 2026 - Jonathan Kang <[email protected]>
+
+- Add libsoup-CVE-2026-1467.patch: uri-utils: do host validation
+ when checking if a GUri is valid
+ (bsc#1257398, CVE-2026-1467, glgo#GNOME/libsoup#488).
+- Add libsoup-CVE-2026-1760.patch: server: close the connection
+ after responsing a request containing...
+ (bsc#1257597, CVE-2026-1760, glgo#GNOME/libsoup#475).
New: ---- libsoup-CVE-2026-1539.patch ----------(New B)---------- New: - Add libsoup-CVE-2026-1539.patch: Also remove Proxy-Authorization header on cross origin redirect ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++
--- /var/tmp/diff_new_pack.yo6OW0/_old 2026-03-01 22:14:48.617927524 +0100
+++ /var/tmp/diff_new_pack.yo6OW0/_new 2026-03-01 22:14:48.617927524 +0100
@@ -35,6 +35,8 @@ # PATCH-FIX-UPSTREAM libsoup-CVE-2026-2708.patch bsc#1258508 [email protected] -- do not allow adding multiple content length values to headers. Patch17: libsoup-CVE-2026-2708.patch +# PATCH-FIX-UPSTREAM libsoup-CVE-2026-1539.patch bsc#1257441, CVE-2026-1539, glgo#GNOME/libsoup#489 -- Also remove Proxy-Authorization header on cross origin redirect +Patch18: libsoup-CVE-2026-1539.patch BuildRequires: glib-networking BuildRequires: meson >= 0.53 ++++++ libsoup-CVE-2026-1539.patch ++++++ >From 98c1285d9d78662c38bf14b4a128af01ccfdb446 Mon Sep 17 00:00:00 2001 From: Carlos Garcia Campos <[email protected]> Date: Tue, 20 Jan 2026 13:17:42 +0100 Subject: [PATCH] Also remove Proxy-Authorization header on cross origin redirect Closes #489 --- libsoup/soup-session.c | 1 + tests/httpd.conf.in | 1 + tests/proxy-test.c | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 36 insertions(+) diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c index 4e6b478b..e40437ff 100644 --- a/libsoup/soup-session.c +++ b/libsoup/soup-session.c @@ -1234,6 +1234,7 @@ soup_session_redirect_message (SoupSession *session, /* Strip all credentials on cross-origin redirect. */ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); + soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_PROXY_AUTHORIZATION); soup_message_set_auth (msg, NULL); } diff --git a/tests/httpd.conf.in b/tests/httpd.conf.in index 809dc5ca..cc0a116e 100644 --- a/tests/httpd.conf.in +++ b/tests/httpd.conf.in @@ -34,6 +34,7 @@ LoadModule ssl_module @APACHE_SSL_MODULE_DIR@/mod_ssl.so DirectoryIndex index.txt TypesConfig /dev/null Redirect permanent /redirected /index.txt +Redirect permanent /Basic/realm1/redirected https://127.0.0.1:47525/index.txt # Prefer http1 for now because most of the tests expect http1 behavior. Protocols http/1.1 h2 
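Review bot: In the cross-origin branch of `soup_session_redirect_message`, the new line removes the `Proxy-Authorization` header, but the only auth object reset is the origin one (`soup_message_set_auth (msg, NULL)`); the hunk shows no matching reset of any proxy auth state kept for the message. Whether that state can put the header back when the redirected request starts is not visible from here, so it is worth confirming and recording next to the new line. The existing comment could also name what is stripped and why, for example `/* Strip origin and proxy credentials on cross-origin redirect so they are never forwarded to the new origin. */`. The function body starts and ends outside the hunk.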
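Review bot: The new `Redirect permanent /Basic/realm1/redirected` target hard-codes `https://127.0.0.1:47525`, while other values in this template are substituted at configure time (`@APACHE_SSL_MODULE_DIR@`). The port presumably matches the TLS listener defined elsewhere in the file, which this hunk does not show; if that listener moves, the redirect points at a closed port and the new test fails for an unrelated reason. A comment above the line would tie the two together, for example `# Cross-origin redirect (https listener on 47525) used by /proxy/auth-redirect in proxy-test.c`.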
diff --git a/tests/proxy-test.c b/tests/proxy-test.c index d730c8a7..68c97aca 100644 --- a/tests/proxy-test.c +++ b/tests/proxy-test.c @@ -269,6 +269,39 @@ do_proxy_redirect_test (void) soup_test_session_abort_unref (session); } +static void proxy_auth_redirect_message_restarted (SoupMessage *msg) +{ + if (soup_message_get_status (msg) != SOUP_STATUS_MOVED_PERMANENTLY) + return; + + g_assert_null (soup_message_headers_get_one (soup_message_get_request_headers (msg), "Proxy-Authorization")); +} + +static void +do_proxy_auth_redirect_test (void) +{ + SoupSession *session; + SoupMessage *msg; + char *url; + + SOUP_TEST_SKIP_IF_NO_APACHE; + SOUP_TEST_SKIP_IF_NO_TLS; + + session = soup_test_session_new ("proxy-resolver", proxy_resolvers[AUTH_PROXY], NULL); + + url = g_strconcat (HTTP_SERVER, "/Basic/realm1/redirected", NULL); + msg = soup_message_new (SOUP_METHOD_GET, url); + g_signal_connect (msg, "authenticate", G_CALLBACK (authenticate), NULL); + g_signal_connect (msg, "restarted", G_CALLBACK (proxy_auth_redirect_message_restarted), NULL); + + soup_test_session_send_message (session, msg); + soup_test_assert_message_status (msg, SOUP_STATUS_OK); + + g_free (url); + g_object_unref (msg); + soup_test_session_abort_unref (session); +} + static void do_proxy_auth_request (const char *url, SoupSession *session, gboolean do_read) { @@ -402,6 +435,7 @@ main (int argc, char **argv) g_test_add_data_func ("/proxy/fragment", base_uri, do_proxy_fragment_test); g_test_add_func ("/proxy/redirect", do_proxy_redirect_test); + g_test_add_func ("/proxy/auth-redirect", do_proxy_auth_redirect_test); g_test_add_func ("/proxy/auth-cache", do_proxy_auth_cache_test); g_test_add_data_func ("/proxy/connect-error", base_https_uri, do_proxy_connect_error_test); -- 2.52.0
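Review bot: The header assertion in `proxy_auth_redirect_message_restarted` can be skipped without failing the test: the handler returns early unless the status is `SOUP_STATUS_MOVED_PERMANENTLY`, and `do_proxy_auth_redirect_test` then checks only the final `SOUP_STATUS_OK`, so a run in which "restarted" never fires with a 301 still passes. Recording that the check ran and asserting it after the send closes that gap. The assertion also runs at "restarted", before the redirected request is sent, so repeating the same `g_assert_null (...)` on the request headers after `soup_test_session_send_message` returns would additionally cover a header that is re-added later. As a style point, the handler's `static void` sits on the same line as its name, unlike the other definitions in this hunk.

```c
static void
proxy_auth_redirect_message_restarted (SoupMessage *msg,
                                       gpointer     user_data)
{
        gboolean *checked = user_data;

        /* … unchanged: status check and Proxy-Authorization assertion … */
        *checked = TRUE;
}

static void
do_proxy_auth_redirect_test (void)
{
        gboolean checked = FALSE;
        /* … unchanged: declarations, skip macros, session and message setup … */
        g_signal_connect (msg, "restarted", G_CALLBACK (proxy_auth_redirect_message_restarted), &checked);

        soup_test_session_send_message (session, msg);
        soup_test_assert_message_status (msg, SOUP_STATUS_OK);
        g_assert_true (checked);
        /* … unchanged: cleanup … */
```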
